Dave Spencer, Director of Technical Product Management at Immersive, calls for a renewed focus on the fundamentals of cyber security in the AI age.

It’s safe to say that if you work within the technology industry, you can’t get through a single conversation without AI coming up. And there’s a good reason for that.

Research shows that 78% of CISOs agree that AI-assisted cyber threats are having a significant impact on their organisation, and 45% of cybersecurity professionals do not feel prepared for the reality of AI-powered cyber threats.

However, Dave Spencer, Director of Technical Product Management at Immersive, argues that, irrespective of how concerned you are about AI-powered attacks or risks, the security fundamentals are still what really make the difference in preventing a breach.

He explains why basic cyber hygiene is in danger of being overlooked, and how to ensure businesses are prepared with the relevant cyber skills needed in the age of AI.

How has AI changed security?

Interestingly, AI is being used in rather similar ways by both attackers and defenders. AI tools are employed by both sides to rapidly automate complex or monotonous tasks. Attackers use them to generate more effective phishing interactions, while defenders use them to wade through the flood of security alerts they receive.

Of course, the obvious difference between the two sides is that whilst defenders are bound by a moral and ethical compass, attackers are not. This means cybercriminals are often able to deploy AI tools much faster than security teams can – attackers don’t care about weakening an organisation’s security posture.

Another key consideration is that, by introducing AI into business operations, it becomes yet another piece of technology that the security team must protect. AI can inadvertently create vulnerabilities that attackers can exploit if proper protocols are not in place.

One of the most pressing threats to AI is prompt injection attacks, where attackers trick Large Language Models (LLMs) into revealing sensitive information. Our own researchers have shown that tricking LLMs is not particularly difficult, and you don’t need to be highly technical to gain access to sensitive data.

In fact, we conducted a test in which participants attempted to get a GenAI chatbot to reveal sensitive information, and 88% of them succeeded in at least one level of an increasingly difficult challenge.

Ultimately, while AI has changed the security team’s role on the surface, when you dig deeper, the fundamentals remain the same. This is why strong cyber hygiene practices are more important than ever.

Why is cyber hygiene so important?

When a company is breached, the most common phrase you’ll see in their immediate statement is that a “sophisticated actor breached our systems.” And whilst the group responsible may indeed be sophisticated, the method they used likely wasn’t.

The majority of breaches occur because basic security fundamentals are not being observed. This includes failing to implement and enforce multi-factor authentication (MFA), using weak passwords, and neglecting to patch known vulnerabilities.

Yet, too many organisations are focused on the latest AI tool they could implement. That mindset is dangerous and means they’ll never be ready for a breach, because hygiene fundamentals should form the absolute baseline of any cybersecurity strategy.

It doesn’t matter if you have the latest AI-powered endpoint detection and response tool if every device can still connect to the network and access systems without MFA approval.

So, why is it still such a struggle?

Much of poor cyber hygiene can be traced back to a lack of development in cyber skills across an organisation’s workforce.

Legacy cyber training, such as presentations, e-learning videos, and multiple-choice tests, remains the primary method for developing cyber skills. However, these sessions are often overly generic and fail to address the specific needs of different teams or roles.

Lacking urgency and realism, such training struggles to capture attention, leaving employees disengaged and viewing it as a poor use of their time. It essentially becomes an attendance test rather than a genuine test and development of cyber skills.

If employees are sitting through training thinking it’s a waste of time, they’re not absorbing the security information being provided, and as a result, they’re not developing good security habits. You can’t tell if they’ll be ready for when a real incident happens. Ultimately, if your cyber skills development is rubbish, your cyber hygiene standards will be too.

The core purpose of cyber training is to build readiness in employees, so they know exactly what good security looks like, and more importantly, what to do in the midst of a cyber crisis.

How can we address the problem of cyber hygiene?

We have to ditch ineffective cyber skills development programmes and replace them with training that is engaging and genuinely valuable to employees, which prepares them to deal with cyber risk. This is where cyber simulations come in.

Unlike traditional training, cyber simulations immerse people in realistic, high-pressure scenarios where they must act, not just observe. They test judgement, coordination, and the ability to follow protocols under stress. Crucially, they reinforce both crisis response and core cyber hygiene through repetition and lived experience to build readiness.

Simulations reveal weaknesses that would otherwise remain hidden. A security strategy that seems flawless on paper might have cracks when tested under real-time pressure. This approach equips individuals and teams to spot cyber risks quickly and respond effectively. 

Furthermore, by actively engaging people in cybersecurity, they begin to understand the reasons behind certain practices and decisions. To the average employee, MFA might not mean much, but its importance is crystal clear to someone who understands cybersecurity.

With AI, there’s also the additional challenge that most people don’t know the difference between machine learning, LLMs, agentic AI, supervised data sets, and unsupervised data sets, or what their functions are. If an organisation can’t answer this, then how do they know when and how to leverage AI?

Simulations help employees build their understanding of AI and its distinctions, meaning they know what it’s useful for, and more importantly, understand what the risks are and how to deal with them.

Ultimately, advanced tools can’t protect you if your team isn’t prepared. True cyber resilience isn’t built through annual compliance exercises. It comes from mastering the basics, testing them under pressure, and embedding readiness into the daily rhythm of how teams work, communicate, and make decisions.
